On Sun, Apr 03, 2022 at 07:45:47PM +0000, Andrew M.A. Cater wrote:

[...]

> > Indeed, all of this happens, usually without any explanation whatsoever.
> > For whose benefit are such requirements constructed?

Much of it is security theater. Someone (TM) up the chain can tick the
checkbox "password security enforced". Then, the Rest of the Web (TM)
goes forth and cargo-cults that, because that's how the Web is held
together.

[...]

> Forcing passwords to change regularly may not be a good way to
> maintain security - it can mean that people use password01, password02
> and things like that.

Actually, NIST recommends [1] against forcing regular password change.
Also they recommend against requirements like the above. What they do
recommend is to check passwords against dictionaries (dictionary attack
/is/ a thing happening out there).

My personal policy? Use pwgen to generate a password. Write down the
less-used in an encrypted medium. Use 8 chars for the less important,
12 for the somewhat more important ones and 16 for the real fat ones
(e.g. my LUKS passphrase, my backup encryption). The latter ones I use
often, so I just keep them in my head. Never use semi-important
passwords for two different "places".

And oh, when some silly web site insists on special chars, either
consider not using that web site or, if I must, prepend a '#'.

> With every good wish as ever

Cheers

[1] https://www.netsec.news/summary-of-the-nist-password-recommendations-for-2021/

--
t
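The NIST approach the post refers to (screen a chosen password against a dictionary/breach list and a few structural rules, instead of imposing composition rules and expiry) is shown below as an added example; it is not code from the post, from NIST, or from the linked summary. The breach list, the context words and the sample passwords are constructed for illustration; a real deployment would load a large breach corpus. The normalisation step also shows why the "prepend a '#'" workaround the post mentions does not turn a dictionary word into a non-dictionary one from the screener's point of view.

```python
"""NIST SP 800-63B-style password screening (added illustration, not code
from the mailing-list post). All lists and sample values are constructed."""
import re
from typing import List

# Constructed stand-in for a "commonly used / compromised" password list.
# A real deployment would load a large breach corpus instead of this set.
BREACHED_PASSWORDS = {
    "password", "password01", "password02", "123456", "qwerty", "letmein",
    "welcome1", "admin", "iloveyou",
}

# Constructed context-specific words (service name, product name, ...).
CONTEXT_WORDS = {"example", "exampleco", "debian"}

MIN_LENGTH = 8  # NIST minimum length for a user-chosen memorized secret


def normalize(pw: str) -> str:
    """Lower-case and undo the most common 'special char' workarounds (a
    prepended or appended symbol, a trailing counter) so that '#password01'
    is recognised as the dictionary word it really is."""
    s = pw.lower()
    s = re.sub(r"^[^a-z0-9]+", "", s)   # strip leading symbols such as '#'
    s = re.sub(r"[^a-z0-9]+$", "", s)   # strip trailing symbols
    s = re.sub(r"\d+$", "", s)          # strip trailing digits (password01 -> password)
    return s


def is_sequential(pw: str) -> bool:
    """True for runs such as 'abcdefgh' or '12345678' (ascending or descending)."""
    if len(pw) < 2:
        return False
    diffs = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return diffs in ({1}, {-1})


def check_password(pw: str, username: str = "") -> List[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: composition rules (must contain upper case, digit,
    symbol) and forced periodic change, both of which NIST advises against.
    """
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    base = normalize(pw)
    if pw.lower() in BREACHED_PASSWORDS or base in BREACHED_PASSWORDS:
        reasons.append("appears in breach/dictionary list")
    context = CONTEXT_WORDS | ({username.lower()} if username else set())
    for word in context:
        if word and word in pw.lower():
            reasons.append(f"contains context-specific word '{word}'")
    if re.fullmatch(r"(.)\1+", pw):
        reasons.append("single repeated character")
    if is_sequential(pw):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    # Constructed samples: a pwgen-style password passes; the '#' trick does not.
    for candidate in ("Eeph3ohs", "password01", "#password01", "12345678"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Rejecting a candidate with a short, specific reason and letting the user pick again is the user-facing half of the recommendation; rate limiting on the login side is what makes the remaining guessable space expensive for an online attacker, and is a separate control not shown here.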